Feedback
Table Of Contents
IDS (Intrusion Detection System) Faults
Fault Descriptions
This section provides the following information on the faults displayed in Faults > Display Faults. The following information is provided:
•
Fault—The fault as it appears in the Display Faults table.
•
•
•
Fault tables are provided for each device type:
•
Access Point /Bridge Faults
Table 2-1 Access Point Faults
Access point ssid reclassified from Friendly to Rogue due to rule
An access point that was previously determined to be Friendly has been reclassified to Rogue:
ssid is the Service Set Identifier of the unmanaged radio's BSS.
rule is one of the following:
•
The estimated proximity of the unmanaged radio between two observers has switched—if the WLSE thought that observer A was closer to radio R than observer B, it now thinks that observer B is closer to radio R than observer A.
•
While radio R's strength changed by factor M between observer A and observer B, it changed by factor M+T between observer B and observer C. That is, it does not
IDS > Manage Network-Wide IDS Settings > Rogue AP Detection > Friendly to Rogue AP Reclassification
or
IDS > Manage Rogues
Use the fault details page to mark it friendly if the AP is known, or to delete it from the WLSE database if it is an unknown AP.
Access point ssid reclassified from Friendly to Rogue due to rule
(continued)
appear that radio R's change in strength is merely due to a change in its power configuration.
•
•
AP CPU utilization is Degraded (utilization %)
The fault threshold set for the degraded state has been exceeded.
When this fault has been cleared, the following message displays: AP CPU utilization is Ok.
Manage Fault Settings > Access Point/Bridge Thresholds > CPU Utilization
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
AP CPU utilization is Overloaded (utilization %)
The fault threshold set for the overloaded state has been exceeded.
When this fault has been cleared, the following message displays: CPU utilization is Ok.
Manage Fault Settings > Access Point/Bridge Thresholds > CPU Utilization
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
AP is not registered with a WDS
The managed access point is not registered with any WDS.
For Radio Manager functionality to work, all access points must register with a WDS. If an access point is not registered, it will be excluded from all the Radio Manager procedures, which will provide incorrect results.
Manage Fault Settings > Access Point/Bridge > Registration Error
Verify that the WLCCP AP credentials are configured correctly so that the AP can register with a WDS in its subnet.
For more information, see the managing devices information in the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.15.
AP memory utilization is Degraded (utilization %)
The fault threshold set for the degraded state has been exceeded.
When this fault has been cleared, the following message displays: AP memory utilization is Ok.
Manage Fault Settings > Access Point/Bridge Thresholds > Memory Utilization
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
AP memory utilization is Overloaded (utilization %)
The fault threshold set for the overloaded state has been exceeded.
When this fault has been cleared, the following message displays: AP memory utilization is Ok.
Manage Fault Settings > Access Point/Bridge Thresholds > Memory Utilization
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
AP registered with an Unmanaged WDS: ipAddressOfTheUnManagedWDS
AP is registered with a WDS but that WDS is not managed by WLSE.
When this fault is cleared, the following message displays: AP registered with a managed WDS.
Manage Fault Settings > Access Point/Bridge > Registration Error
Manage the WDS.
Broadcast Key Rotation is disabled
The broadcast key rotation has been disabled.
When this fault is cleared, the following message displays: Broadcast Key Rotation is enabled.
Manage Fault Settings > Access Point/Bridge Policies > Key Rotation per VLAN
Log in to the access point and enable the broadcast key rotation interval.
Device state is rogue access point: ssid
The WLSE detected a rogue access point (where ssid is the Service Set Identifier of the unmanaged radio's BSS). This is an access point that is not being managed and is unknown to the WLSE.
IDS > Manage Network-Wide IDS Settings > Rogue AP Detection
or
IDS > Manage Rogues
Use the fault details page to mark it friendly if the AP is known, or to delete it from the WLSE database if it is an unknown AP.
These faults do not automatically clear after the Rogue AP no longer appears in the network; you must manually delete or clear the fault.
Device was not reachable via SNMP
The SNMP Agent could be down.
Using the SNMP threshold setting, you configure the WLSE to poll the sysUpTime MIB object periodically. If at any time the WLSE fails to poll this MIB object, the WLSE generates this fault.
In addition, if while polling any other MIB objects for other fault policies or thresholds associated with the device, the WLSE observes the device is SNMP unreachable, it generates this fault.
This fault also occurs when you cannot perform an SNMP Walk operation on the device with SNMP enabled.
And lastly, during rediscovery if a previously-discovered device is found to be SNMP unreachable, the WLSE generate this fault.
When this fault is cleared, the following message displays: Device was reachable via SNMP.
Manage Fault Settings > Access Point/Bridge Thresholds > SNMP Reachable
Make sure SNMP is enabled on the device and that the agent is not down.
Take a MIB walk of the device and ensure that the sysUpTime returns a non-zero value, which indicates that the device is reachable.
The SNMP community string in the access point has been changed, and then a discovery job is run.
Not applicable.
Change the SNMP community string on the WLSE to match the new community string on the access point, then run discovery again.
EAP per SSID for Cisco-Supplicant is disabled
The Network EAP or the Open authentication is disabled on this SSID.
When this fault is cleared, the following message displays: EAP per SSID for Cisco Supplicant is enabled.
Manage Fault Settings > Access Point/Bridge Policies > EAP Per SSID Enforced for Cisco-
SupplicantLog in to the access point and enable both Network EAP and Open authentication on that SSID.
EAP per SSID for Non-Cisco-Supplicant is disabled
The Network EAP or the Open authentication is disabled on this SSID.
When this fault is cleared, the following message displays: EAP per SSID for Non-Cisco Supplicant is enabled.
Manage Fault Settings > Access Point/Bridge Policies > EAP Per SSID Enforced for Non-Cisco-
SupplicantLog in to the access point and enable both Network EAP and Open authentication on that SSID.
EAP per SSID for Mixed-Cisco-Supplicant is disabled
The Network EAP or the Open authentication is disabled on this SSID.
When this fault is cleared, the following message displays: EAP per SSID for Cisco Supplicant is enabled.
Manage Fault Settings > Access Point/Bridge Policies > EAP Per SSID Enforced for Mixed-Cisco-
SupplicantLog in to the access point and enable both Network EAP and Open authentication on that SSID.
Ethernet bandwidth utilization is Degraded (utilization %)
The fault threshold set for the degraded state has been exceeded.
When this fault is cleared, the following message displays: Ethernet bandwidth utilization is OK.
Manage Fault Settings > Access Point/Point Thresholds > Ethernet Port Utilization
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Ethernet bandwidth utilization is Overloaded (utilization %)
The fault threshold set for the overloaded state has been exceeded.
When this fault is cleared, the following message displays: Ethernet bandwidth utilization is OK.
Manage Fault Settings > Access Point/Bridge Thresholds > Ethernet Port Utilization
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive frame counts:
•
•
•
•
•
•
•
Firmware version policy violation (version number)
The wrong version number for policy checking has been entered.
When this fault is cleared, the following message displays: Firmware version is valid.
Manage Fault Settings > Access Point/Bridge Policies > Firmware Version
Make sure that the firmware version that is entered in the policy setting matches the firmware version on the access point.
The access point is running an unauthorized firmware version.
When this fault is cleared, the following message displays: Firmware version is valid.
Make sure that you have entered authorized versions in the policy setting.
Update the firmware on the access point to an authorized version.
HotStandBy is active
The access point that is configured for hot standby has become active.
The following conditions could cause the hot standby access point to become active: the primary access point is down, the Ethernet port is down, or the Radio port is down.
When this fault is cleared, the following message displays: HotStandBy is disabled.
Manage Fault Settings > Access Point/Bridge Policies > HotStandby Status
1.
2.
3.
4.
5.
6.
Inconsistent device state found: MIB-name table-name. OID-name problem-details
One or more configuration values of the AP/BR are either out-of-range or are in conflict with another configuration value. The fault description and corresponding swan.log entry provide details about the suspect value, including the official public MIB name of the SNMP OID for which the error was found.
When a radio is declared to have an invalid configuration or has failed, it cannot be manipulated by Radio Management and is removed from SWAN RM operations. For example, if just the 802.11a radio on a WDS is not configured correctly, only that radio is excluded from RM operations; the 802.11b/g radio and the WDS remains fully RM-operational. This behavior can help you isolate the portions of your network that are affected by misconfigurations or failures.
Not applicable.
To resolve an inconsistent configuration, several possibilities exist:
•
•
•
For information about the MIB referenced in the fault description, see http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
MIC is disabled for the VLAN number
MIC is not enabled for the selected VLAN on the access point.
When the fault is cleared, the following message displays: MIC is enabled.
Manage Fault Settings > Access Point/Bridge Policies > MIC per Vlan
Log into the access point and enable the VLAN. Then, using the WLSE fault settings, enable the MIC for that VLAN.
Radar Detected on Channel origChannel
On its current channel, the AP detected likely contention with a radar device, so it needs to leave that channel and find another. The AP will automatically scan for another channel, but might be unable to accept associations for one minute. This one minute delay is the required scan time on another Dynamic Frequency Selection channel that must elapse before the AP can accept associations.
When this fault is cleared, the following message displays: No radar detected on new channel newChannel
Manage Fault Settings > Radio-802.11a Policies > Dynamic Frequency Selection (DFS)
The WLSE will automatically handle the assignment of another channel for those APs affected by the Radar Detection. However, if these faults become common, you should re-run Assisted Configuration (RPG) soon after a DFS event has occurred (or just manually deselect the DFS channel from the Assisted Config Wizard). This will reorganize the site to avoid the affected channel and make future conflicts likely.
Vlan WEP key length policy violation
The WEP key length for the selected VLAN setting has been violated.
When this fault has been cleared, the following message displays: Vlan WEP key length is ok.
Manage Fault Settings > Access Point/Bridge Policies > WEP Encryption per Vlan
Make sure the WEP key length selected in the policy setting matches the access point settings.
WDS appears down.
The WLSE failed to receive "keep active" messages from the WDS. This happens when the WDS is down or when the network is down.
Manage Fault Settings > WDS > WLSE-WDS Link Status
Check the network connectivity, and the WDS status.
WDS Registered with another WLSE (IPaddress)
The WDS is registered with a different WLSE.
Manage Fault Settings > WDS > Authentication Failures
Determine which WLSE is supposed to manage that WDS from an RM perspective. Then modify the wnm configuration on the WDS to point to the correct WLSE.
For more information, see the managing devices information in the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.15.
WEP is disabled
WEP is not enabled for the VLAN defined on the access point. (Note that the VLAN number is displayed in the Type column under Faults > Display Faults.)
When the fault is cleared, the following message displays: WEP is enabled.
Manage Fault Settings > Access Point/Bridge Policies > WEP per Vlan
Make sure you have set the policy correctly for the VLAN.
WLSE failed to authenticate with WDS.
Authentication required to open a WLCCP channel between the WLSE and the WDS failed.
Manage Fault Settings > WDS > Authentication Failures
Verify that the WLSE credentials used to authenticate with the WDS are correct.
For more information, see the managing devices information in the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.15.
Radio Interface Faults
Table 2-2 Radio Interface Faults
AP is in a Degraded state number associated clients
The fault threshold set for the degraded state has been exceeded.
When this fault is cleared, the following message displays: AP is in OK state.
Manage Fault Settings > Radio-802.11x Thresholds > Associated Clients
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
AP is in an Overloaded state number associated clients
The fault threshold set for the overloaded state has been exceeded.
When this fault is cleared, the following message displays: AP is in OK state.
Manage Fault Settings > Thresholds > Access Point > Associated Clients
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Appeared up|down. Compensated for by Up/Down radio(s).
The indicated radio appeared up or down on this AP, so other radios were modified to maintain coverage.
After self healing has been applied to the other AP, this fault indicates the radio that had the failure.
Radio Manager > Self Healing > Finish
Display the Self Healing fault details page, then select the document with the eyeglasses. A list of radios with the old and new power settings is displayed. These radios can compensate for the downed or recovered radio. If self healing is configured to automatically apply changes, then these are the values that were applied. If self healing is configured for manual application of the compensation calculations, then the recommended values are shown with an option to apply them to the indicated radios.
Check the radio to determine why it is down and resolve the problem.
Broadcast SSID is enabled.
The broadcast mode for the SSID on the interface has been disabled.
When this fault is cleared, the following message displays: Broadcast SSID is disabled.
Manage Fault Settings > Radio-802.11x Policies > Broadcast Disabled
Log in to the access point and disable the broadcast mode.
Broadcast is enabled for Radio-x SSID ssid fault.
An SSID, which you do not want broadcast, is being broadcast.
When this fault is cleared, the following message displays: Broadcast is disabled for Radio-x SSID ssid fault.
Manage Fault Settings > Radio-802.11x Policies > Broadcast SSID
Log in to the access point and make sure that the that the SSID, which is in WLSE's "Do not Broadcast SSID" list is not selected for Broadcast on the access point.
Client association rate is Degraded number per minute
The fault threshold set for the degraded state has been exceeded.
When this fault is cleared, the following message displays: Client association rate is OK.
Manage Fault Settings > Radio-802.11x Thresholds > Association Rate
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Client association rate is Overloaded number per minute
The fault threshold set for the overloaded state has been exceeded.
When this fault is cleared, the following message displays: Client association rate is OK.
Compensation determination is in progress
The WLSE determined that a radio was down or back up. Self Healing is attempting to compensate for the failed or recovered radio.
Not applicable.
There is no action necessary; Self Healing is attempting to adjust the power on other neighboring radios (which can be on other floors) to maintain coverage.
Compensation calculation did not complete due to errors
Errors forced the cancellation of Self Healing compensation calculations.
Not applicable.
Display the Self Healing fault details page, then select the document with the eyeglasses. The error messages displayed on this page will explain the problem.
Determine the action necessary to clear the fault condition.
Compensation finished with errors
Self Healing compensation calculations finished but there were errors. For example, a power change cannot be applied to a radio because:
1) The community strings for the device are wrong for the AP.
2) AP is down or unreachable
3) Wrong configuration set on the radio
Not applicable.
Determine the action necessary to clear the fault condition.
For example, if WLSE determines that five radios are needed to compensate for a down radio and only one has bad community strings, the changes to the other four radios will take place.
Compensation did not complete due to timeout of timeout (mins)
Self Healing compensation calculations took longer than 30 minutes.
Not applicable.
Display the Self Healing fault details page, then select the document with the eyeglasses. The error messages displayed on this page will explain the problem.
Determine the action necessary to clear the fault condition.
EAP is disabled
The EAP per SSID has been disabled.
When this fault is cleared, the following message displays: EAP is enabled
Manage Fault Settings > Radio-802.11x Policies >
EAP Enforced for
Cisco Supplicant/
Non-Cisco Supplicant/
Mixed-Cisco SupplicantLog in to the access point and enable the Network EAP and Open authentication.
Infrastructure SSID policy violation
The infrastructure SSID does not match the infrastructure SSID set on the access point.
When this fault is cleared, the following message displays: Infrastructure SSID is valid.
Manage Fault Settings > Radio-802.11x Policies > Infrastructure SSID
Log in to the access point and make sure the WLSE's Infrastructure SSID matches the access point infrastructure SSID
Not Monitored because: reason, Ignored
To qualify for Self Healing, an AP must:
•
•
The faults will clear when the WDS/WLSE is reauthenicated and Radio Monitoring is enabled correctly.
Number of CCMP Replay Discarded is Overloaded.
The fault threshold set for the overloaded state has been exceeded.
When the fault is cleared, the following message displays: Number of CCMP Replays Discarded is OK.
IDS > Manage IDS Settings > IDS-802.11x > CCMP Replays Discarded
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Packet Error is in Degraded state (error rate %)
The fault threshold set for the degraded state has been exceeded.
When this fault is cleared, the following message displays: Packet Error is in OK state.
Manage Fault Settings > Radio-802.11x Thresholds > RF Port Packet Errors
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
The radio interfaces on the devices may be very under utilized, which can trigger the degradation problem.
For example, if a total of three packets are sent over the radio, and two of them are corrupt, the percentage would be 2/3 = 66%, and could trigger the alarm.
Remove the alarm from the profile associated with these devices.
Packet Error is in Overloaded state (error rate %)
The fault threshold set for the overloaded state has been exceeded.
When this fault is cleared, the following message displays: Packet Error is in OK state.
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Port is administratively set to down
The port has been set to Down by the administrator.
When this fault is cleared, the following message displays: Port is up
Manage Fault Settings > Radio-802.11x Thresholds > RF Port Status
There is no action necessary; the port has been deliberately shut down.
Port is down
The port is operationally down.
When this fault is cleared, the following message displays: Port is up
Manage Fault Settings > Radio-802.11x Thresholds > RF Port AdminStatus
Check the device to determine why the port is down.
If you have added or removed an interface from an access point, the WLSE might generate an erroneous fault. See What are the results of adding or removing an interface from an access point?.
The fault RF Port AdminStatus is enabled by default and must remain enabled with a default polling time of 5 minutes. Self healing ignores any radio set as administratively down, but this can only be detected if fault polling is enabled.
PSPF is disabled
The PSPF port has been disabled.
PSPF (Publicly Secure Packet Forwarding) is a feature that prevents client devices associated to a bridge or access point from inadvertently sharing files with other client devices on the wireless network.
When the fault is cleared, the following message displays: The PSPF is enabled.
Manage Fault Settings > Access Point/Bridge Policies > PSPF Enabled
Log in to the access point and enable the PSPF setting.
Requires healing: %reason%.
The indicated radio appeared up or down on this AP. Self Healing has been started.
After compensation results have been for other radios, this fault indicates the radio that had the failure.
Not applicable.
There is no action necessary; Self Healing will attempt to adjust the power on other radios on the floor to maintain coverage.
Possible reasons self healing is required:
•
•
•
Retry Count rate is Degraded number per minute
The retry count rate alarm indicates if the wireless medium is congested. The alarm will be raised if the MSDU retransmission rate per minute is greater than the specified threshold. For example, if the overloaded state is set to greater than 90, a fault will be raised for an interface that has more than 90 MSDUs that required retransmission in a minute.
When the fault is cleared, the following message displays: Retry Count rate is OK.
Manage Fault Settings > Radio-802.11x Thresholds > Max Retry Count
Verify the threshold settings. There could be too many clients or access points located near the radio interface for which fault is raised. Clear the alarm and increase the threshold, or reduce the polling time.
Retry Count rate is Overloaded number per minute
RF bandwidth utilization is Degraded (utilization %)
The fault threshold set for the degraded state has been exceeded.
When the fault is cleared, the following message displays: RF bandwidth utilization is OK
Manage Fault Settings > Radio-802.11x Thresholds > RF Port Utilization
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
RF bandwidth utilization is Overloaded (utilization %)
The fault threshold set for the overloaded state has been exceeded.
When the fault is cleared, the following message displays: RF bandwidth utilization is OK
Serving and non-serving channel Radio Monitoring must be enabled
For Self Healing to work, all radios on the floor must be configured with Radio Monitoring. The fault will indicate which radios need to be configured with both serving and non serving radio monitoring.
When the fault is cleared, the following message displays: Qualifies for Self Healing Monitoring.
Not applicable.
Enable Radio Monitoring for both serving and non-serving channels.
Or, use the Location Manager tool, Verify RM Capability.
WEP Error is in Degraded state (error rate %)
The fault threshold set for the degraded state has been exceeded.
When this fault has been cleared, the following message displays: WEP Error is in OK state
Manage Fault Settings > Radio-802.11x Thresholds > RF Port WEP Errors
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
WEP Error is in Overloaded state (error rate %)
The fault threshold set for the overloaded state has been exceeded.
When this fault has been cleared, the following message displays: WEP Error is in OK state
WEP key length policy violation
The WEP key length setting has been violated.
When this fault has been cleared, the following message displays: WEP key length is OK.
Manage Fault Settings > Radio-802.11x Policies > WEP Key Length
Check the WEP key settings on the interface to make sure they match the WLSE settings.
IDS (Intrusion Detection System) Faults
Table 2-3 IDS Faults
802.11-B/G Interference Detected
- or -
802.11-A Interference Detected
The WLSE detected a non-802.11 interference.
IDS > Manage Network-Wide IDS Settings > Interference Detection
Look at the fault description to determine which AP reported the interference, then take corrective action by removing the interference source.
Ad-hoc network creation detected: ssid
An ad-hoc network was formed by some wireless clients (where ssid is the Service Set Identifier of the UnmanagedRadio's BSS). One of your infrastructure APs or other clients sent this information to the WLSE via your WDS setup.
IDS > Manage Network-Wide IDS Settings > Ad-hoc Network Detection
If the information is available, the WLSE will show the clients that are participating in the network (and that it can detect) in the fault details page. Use the Location Manager to find these APs and verify that this is not a security issue.
Ad-hoc network ssid reclassified from Friendly to Rogue due to rule
An ad-hoc network that was previously determined to be Friendly has been reclassified to Rogue.
ssid is the Service Set Identifier of the unmanaged radio's BSS.
rule is one of the following:
•
The estimated proximity of the unmanaged radio between two observers has switched—if the WLSE thought that observer A was closer to radio R than observer B, it now thinks that observer B is closer to radio R than observer A.
•
While radio R's strength changed by factor M between observer A and observer B, it changed by factor M+T between observer B and observer C. That is, it does not appear that radio R's change in strength is merely due to a change in its power configuration.
•
•
IDS > Manage Network-Wide IDS Settings > Ad-hoc Network Detection > Friendly to Rogue AP Reclassification
or
IDS > Manage Rogues
Use the fault details page to mark it friendly if the network is known, or to delete it from the WLSE database if it is unknown.
Bad MIC while MFP enabled
This fault is raised against the AP that is observed generating the violation.
Not applicable.
Investigate the possibility that a rogue AP is conducting a spoofing attack against the managed network. Also, make sure that an MFP configuration error (see MFP Configuration error (Detect disabled; should be enabled)) is not the root cause of the MFP Validation error. It is also possible that communications problems between the WDS and its registered APs have prevented MFP key rotation messages from reaching either the detector or generator AP.
Bad Sequence Number while MFP enabled
This fault is raised against the AP that is observed generating the violation.
Not applicable.
CCMP DecryptErrorsClient is detected
The fault threshold has been exceeded for the number of decryption errors detected by the CCMP play mechanism on the interface.
IDS > Manage IDS Settings > CcmpDecryptErrorsClient
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
CCMP Replay Client is detected
The fault threshold set has been exceeded.
When this fault is cleared, the following message displays: There is no CCMP Replay detected
IDS > Manage IDS Settings > General Settings > CcmpReplaysClient
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Client association rate is Degraded number per minute
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Client association rate is OK.
IDS > Manage IDS Settings > IDS-802.11x > Authentication Error Rate
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition
Client authentication error rate is Degraded number per minute
The fault threshold set for the degraded state has been exceeded.
When this fault is cleared, the following message displays: Client association error rate is OK.
IDS > Manage IDS Settings > IDS-802.11x > Authentication Error Rate
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Client authentication error rate is Overloaded number per minute
The fault threshold set for the overloaded state has been exceeded.
When this fault is cleared, the following message displays: Client association error rate is OK.
Client TKIP RemoteMICFailure is detected
A wireless client has detected a MIC failure. The MIB value that is polled is cDot11WidsTkipRemoteMicFailures.
When this fault is cleared, the following message displays: There is no TKIP RemoteMICFailure detected.
IDS > Manage IDS Settings > General IDS Settings > TkipRemoteMicFailureClient
Occasionally MIC failures can occur during key rotation. To diagnose the problem, you should:
•
•
•
EAPOL FLOOD is detected (Flood count: floodcount)
The fault threshold has been exceeded.
When this fault is cleared, the following message displays: There is no EAPOL Flood detected.
IDS > Manage IDS Settings > General IDS Settings > EAPOL Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition
Excessive Action Frames in Channel: channel [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Action Frames not present in Channel.
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Action Frames from STA: station [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Action Frames from STA: station not present
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Association Frames in Channel: channel [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Association Frames not present in Channel: channel
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Association Frames from STA: station [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Association Frames from STA: station not present
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Authentication Frames in Channel: channel [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Authentication Frames not present in Channel.
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Authentication Frames from STA: station [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Authentication Frames from STA: station not present
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Deauthentication Frames in Channel: channel [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Deauthentication Frames not present in Channel.
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Deauthentication Frames from STA: station [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Deauthentication Frames from STA: station not present
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Disassociation Frames in Channel: channel [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Disassociation Frames not present in Channel.
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Disassociation Frames from STA: station [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Disassociation Frames from STA: station not present
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Probe Frames in Channel: channel [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Probe Frames not present in Channel.
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Probe Frames from STA: station [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Probe Frames from STA: station not present
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Reassociation Frames in Channel: channel [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Reassociation Frames not present in Channel.
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Excessive Reassociation Frames from STA: station [Frames: framecount,Interval:windowsize]
The fault thresholds been exceeded.
When this fault is cleared, the following message displays: Excessive Reassociation Frames from STA: station not present
IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
MFP Configuration error (Detect disabled; should be enabled)
This fault is raised against an AP that contains an MFP-related configuration error.
Note
Not applicable.
Restart the affected AP.
MFP Timebase Invalid (bad SNTP)
This fault is raised against an AP that has a bad timebase.
Configure > Templates > Services > SNTP
Configure the AP to reference an SNTP server.
No MIC while MFP Enabled
This fault is raised against the AP that is observed generating the violation.
Not applicable.
Number of CCMP Replay Discarded is Degraded.
The fault threshold set for the degraded state has been exceeded.
When the fault is cleared, the following message displays: Number of CCMP Replays Discarded is OK.
IDS > Manage IDS Settings > IDS-802.11x >CCMP Replays Discarded
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Number of CCMP Replay Discarded is Overloaded.
The fault threshold set for the overloaded state has been exceeded.
When the fault is cleared, the following message displays: Number of CCMP Replays Discarded is OK.
Number of EAPOL Flood Count is Degraded
The fault threshold set for the degraded state has been exceeded.
When this fault is cleared, the following message displays: EAPOL Flood Count is OK.
IDS > Manage IDS Settings > General IDS Settings > EAPOL Detection
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Number of EAPOL Flood Count is Overloaded
The fault threshold set for the overloaded state has been exceeded.
When this fault is cleared, the following message displays: EAPOL Flood Count is OK.
Number of TKIP counter measure is Degraded.
The fault threshold set for the degraded state has been exceeded.
When the fault is cleared, the following message displays: Number of TKIP Counter Measure is OK.
IDS > Manage IDS Settings > IDS-802.11x >TKIP Counter Measure Invoked
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Number of TKIP counter measure is Overloaded.
The fault threshold set for the overloaded state has been exceeded.
When the fault is cleared, the following message displays: Number of TKIP Counter Measure is OK.
Number of TKIP Local MIC failures is Degraded.
The fault threshold set for the degraded state has been exceeded.
When the fault is cleared, the following message displays: Number of TKIP Local MIC failures is OK.
IDS > Manage IDS Settings > IDS-802.11x >TKIP Local MIC failures
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Number of TKIP Local MIC failures is Overloaded.
The fault threshold set for the overloaded state has been exceeded.
When the fault is cleared, the following message displays: Number of TKIP Local MIC failures is OK.
Number of TKIP Remote MIC failures is Degraded.
The fault threshold set for the degraded state has been exceeded.
When the fault is cleared, the following message displays: Number of TKIP Remote MIC failures is OK.
IDS > Manage IDS Settings > IDS-802.11x >TKIP Remote MIC failures
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Number of TKIP Remote MIC failures is Overloaded.
The fault threshold set for the overloaded state has been exceeded.
When the fault is cleared, the following message displays: Number of TKIP Remote MIC failures is OK.
Number of TKIP replay errors is Degraded.
The fault threshold set for the degraded state has been exceeded.
When the fault is cleared, the following message displays: Number of TKIP replay errors is OK.
IDS > Manage IDS Settings > IDS-802.11x >TKIP Replays Detected
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Number of TKIP replay errors is Overloaded.
The fault threshold set for the overloaded state has been exceeded.
When the fault is cleared, the following message displays: Number of TKIP replay errors is OK.
Radio Role must be "roleScanner" to support Frame Monitoring (was x).
This fault is raised when a radio is initially configured for Frame Monitoring (where x is the integer value of the SNMP OID cd11IfStationRole from the CISCO-DOT11-IF-MIB), but then someone configures the radio out of scanning-only mode. As a side effect, this also disables Frame Monitoring.
When this fault is cleared, the following message displays: Radio Role is "roleScanner" and supports Frame Monitoring.
Radio Mgr > Frame Monitoring
Review your network to determine the action necessary to clear the fault condition.
Although this situation might simply be that an administrator no longer needs to monitor or scan a portion of their site any longer, it could also be an intruder who has somehow gained console access to a Scanning AP and is attempting to "blind" IDS services for a portion of a site.
TKIP Replay is detected
The fault threshold set has been exceeded.
When this fault is cleared, the following message displays: There is no TKIP Replay detected.
IDS > Manage IDS Settings > General IDS Settings > TkipReplayClient
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
TKIP LocalMICFailure is detected
The fault threshold set has been exceeded.
When this fault is cleared, the following message displays: There is no TKIP LocalMICFailure detected.
IDS > Manage IDS Settings > General IDS Settings > TkipLocalMicFailureClient
Verify that the fault threshold is set correctly.
If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Unexpected MIC while MFP Disabled
This fault is raised against the AP that is observed generating the violation.
Not applicable.
Unregistered Client(s) present
One or more unregistered clients have been detected in the wireless network, and are unsucessfully attempting to authenticate with the APs.
The unregistered client fault is triggered when an AP in scanning mode detects a number of probe requests and association requests from a station, client, or access point, which crosses the configuired threshold in the configured time.
The registration attempts are not being made to the scanning AP; the attempts are being made to regular APs that the scanning AP notices.
The scanning AP counts the packets per station.
IDS > Manage IDS Settings > General IDS Settings > Unregistered Client
Set the priority of the fault to be generated and the threshold for the failed authentication attempts by the client.
Make a physical check near the scanning AP that reported this fault to see if there are any rogue clients.
(The fault is generated based on the configured Client Registration Request Count within a 15-minute period. The default is 100 registrations, but can be changed to 200, 300, 400 or 500. )
This fault is cleared when no registration attempts are detected during the observation interval (the client leaves the wireless network or is not seen or reported by any Scanning APs).
Wireless Client MAC spoofing detected
The WLSE has detected a spoofed MAC address.
Whenever the WDS detects an authentication taking place for a known MAC address, it verifies that the same user ID is being used. If the user ID does not match, the authentication is rejected and a fault is issued.
When this fault is cleared, the following message displays: No Wireless Client MAC Spoofing Detected.
IDS > Manage IDS Settings > General IDS Settings > Wireless Client MAC Spoofing
Review your network to determine the action necessary to clear the fault condition.
Voice Faults
WLSE Faults
AAA Server Faults
Switch Faults
Router Fault
WLSM Faults